Security researchers can now earn money by finding bugs in the Arc browser, the company has revealed.
The Browser Company, the owners and maintainers of the software, have announced a new bounty program to help them plug dangerous holes.
Rather unimaginatively called the Arc Bug Bounty Program, users can hunt for bugs on macOs and Windows, and in the Arc Search on the iOS platform.
Arc browser flaws
Depending on the severity of the vulnerability discovered, the researchers can expect different payouts.
Low-severity issues can earn them up to $500, medium ones anywhere between $500 and $2,500, while high ones pay out between $2,500 and $10,000. Discovering a critical vulnerability, which grants full system access or can otherwise result in significant impact, pays out anywhere between $10,000 and $20,000.
The Browser Company decided to set up its own bug bounty program after being tipped off about CVE-2024-45489.
This was a critical vulnerability affecting versions before 2024-08-26, allowing for remote code execution through JavaScript boosts. In the Arc browser, “Boosts” are tools that allow users to customize websites by changing their appearance or functionality.
The problem arises from misconfigured Firebase Access Control Lists (ACLs), which allow attackers to create or update a JavaScript boost using another user’s ID. This leads to the malicious installation of the boost in the victim’s browser, where it runs arbitrary code with elevated privileges. Despite the severity, this vulnerability is categorized as a “no-action” issue, meaning there are zero affected users due to cloud protections. This is also probably why the researcher who disclosed the vulnerability was only awarded $2,000 for their discovery.
The bug was addressed in late August 2024, by disabling auto-syncing of Boosts with JavaScript. Furthermore, late last month, the team added a toggle to turn off all Boost-related features.
Via BleepingComputer